Another one (partially) bites the dust

Following in the footsteps of Lethic, Waledac and Mariposa, yet another botnet has been taken offline. Not completely, though; it was only a partial disconnect. The Zeus botnet, also known as Zbot, is built on a trojan that steals passwords from infected machines and sends them to the attacker. From ITWorld:

March 10, 2010, 04:10 PM — IDG News Service —

Internet service providers linked to the notorious Zeus botnet have been taken down, knocking out a third of the command-and-control servers that run the network of hacked machines.

Two ISPs, named Troyak and Group 3, were home to 90 of the 249 known Zeus command-and-control servers. Zeus Tracker, a Web site that tracks the botnet, noticed the steep drop in servers on Wednesday morning.

The Troyak network was itself an upstream provider to six networks, known to host a large number of cybercrime servers, including Web sites used in drive-by attacks and phishing sites, according to Kevin Stevens, a researcher with SecureWorks. "There's lots of Zeus and Fragus exploit kit [sites]," he said. Whoever was behind the takedown "just decided to knock out a large area of cybercrime, and this was probably one of the easiest ways to do it."

Troyak is based in Kostanay, Kazakhstan, according to whois records. The company could not be reached immediately for comment.

The Zeus Tracker administrator, who asked not to be named, said that at first he thought that there had been some type of technical error in the Zeus code. On further investigation, he discovered that Troyak had been taken offline, which in turn knocked the networks hosting the botnet servers off the Internet.

Unlike the Waledac “takedown”, which was carried out under a court order, the Mariposa takedown, which was done by police authorities, or even the Lethic takedown, done by Neustar, which operates the .us ccTLD, this one was done by eastern European network providers. Thus, this takedown more closely resembles the 2008 McColo takedown, which resulted in spam levels plummeting by 40% (our figures) to 70% (others’ figures). According to The Register, the network providers Ukraine-based Ihome and Russia-based Oversun Mercury severed their ties to the ISPs in question (Troyak and Group 3). Unfortunately, it also meant that the legitimate customers on those ISPs had their ties to the Internet cut as well. I bet their customer support desks had their phones ringing off the hook. I can just imagine the conversation.

Cisco issued a statement that this takedown “depeered” the botnet. What this means is that the drones that perform the actual password stealing, fast-fluxing, etc., can no longer (temporarily) make contact with the command center. The drones are aimless, kind of wandering around with no direction, no purpose and no motivation (a lot like the entire population of Canada would have been had we lost the gold medal game in hockey two weeks ago at the Olympics). It’s like a military unit out in the jungle taking orders from central command: if central command is knocked out, the unit will stand around forever doing nothing. The unit is still there, but they are not going to do anything until they get their orders. Since their orders will never come, they will never do anything. It’s classic bureaucracy in action.
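To make the depeering concrete, here is an added example (mine, not from the post or from Cisco) that models the transit relationships as a graph and counts which C&C servers, and which innocent customers, lose their path to the Internet when the upstream links are cut. The provider and ISP names are taken from the post; the six downstream networks, the per-network counts and the legitimate-customer figures are constructed assumptions chosen so the totals match the 90-of-249 figure reported above.

```python
from collections import deque

# Constructed transit graph: provider -> networks it carries to the Internet.
# Provider and ISP names (Ihome, Oversun Mercury, Troyak, Group 3) come from
# the post; the six downstream networks, per-network counts and "legit"
# customer figures are made up so the totals match the 90-of-249 figure.
TRANSIT = {
    "internet": ["Ihome", "Oversun Mercury", "other-upstream"],
    "Ihome": ["Troyak"],
    "Oversun Mercury": ["Troyak", "Group 3"],
    "Troyak": [f"troyak-net{i}" for i in range(1, 7)],
    "Group 3": ["group3-hosting"],
    "other-upstream": ["other-hosting"],
}

# Constructed per-network host counts: Zeus C&C servers and unrelated customers.
HOSTS = {
    "troyak-net1": {"c2": 15, "legit": 40},
    "troyak-net2": {"c2": 10, "legit": 25},
    "troyak-net3": {"c2": 12, "legit": 30},
    "troyak-net4": {"c2": 8, "legit": 12},
    "troyak-net5": {"c2": 14, "legit": 22},
    "troyak-net6": {"c2": 11, "legit": 18},
    "group3-hosting": {"c2": 20, "legit": 35},
    "other-hosting": {"c2": 159, "legit": 1000},
}

def reachable(transit, severed):
    """Networks that still have a transit path from 'internet';
    severed is the set of (provider, customer) links that were cut."""
    seen, queue = {"internet"}, deque(["internet"])
    while queue:
        provider = queue.popleft()
        for customer in transit.get(provider, []):
            if (provider, customer) in severed or customer in seen:
                continue
            seen.add(customer)
            queue.append(customer)
    return seen

def depeering_impact(transit, hosts, severed):
    """Count C&C servers and legitimate customers cut off by the severed links."""
    online = reachable(transit, severed)
    cut = [h for net, h in hosts.items() if net not in online]
    return {"c2_total": sum(h["c2"] for h in hosts.values()),
            "c2_offline": sum(h["c2"] for h in cut),
            "legit_offline": sum(h["legit"] for h in cut)}

# The upstream links Ihome and Oversun Mercury cut, as described in the post.
SEVERED = {("Ihome", "Troyak"), ("Oversun Mercury", "Troyak"), ("Oversun Mercury", "Group 3")}
```

Calling `depeering_impact(TRANSIT, HOSTS, SEVERED)` gives 90 of 249 C&C servers offline along with 182 legitimate customers, and cutting only Ihome's link disconnects nothing because Troyak still has transit through Oversun Mercury.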

It’s important to note three points:

The entire C&C infrastructure wasn’t taken down, only about a third of it.

It will be rebuilt eventually. The orphaned drones no doubt had some of their C&C locations hard coded, or perhaps specified in a config file. The botnet operators will send out new malware pointing at new C&C locations, and users will install it. These systems will become re-infected, fetch their updates from the new locations, and the whole cycle will start all over again. It will take time, true, but Zeus will be back.

Those who took down this botnet wish to remain anonymous. Whatever their reason is, they aren’t claiming responsibility.